Page MenuHomePhabricator
Create Task
Maniphest T277438

Move management routers ssh port
Open, LowPublic
Actions

Description

The management routers have ssh open to the world for OOB access.
As it listens on the standard port 22/tcp, it's subject to a lot of bruteforce attempts
They're all unsuccessful as we use key auth, which has been improved with T163969, but those are still:
1/ flooding the logs
2/ occasionally overwhelming the CPU

The next step is to move the ssh port to a different port (eg. 2222) to reduce most of those attempts.

The .ssh/config file will need to be updated accordingly so normal and emergency access stays smooth.

Details

SubjectRepoBranchLines +/-
Management routers: move ssh port to 2222operations/homer/publicmaster+18 -3
Allow different port than default 22operations/software/homermaster+23 -12
Management routers: move ssh port to 2222operations/homer/publicmaster+8 -4
Rancid: use port 2222 for mgmt routersoperations/puppetproduction+6 -6
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT277438 Move management routers ssh port
Unknown Object (Task)
Unknown Object (Task)
Unknown Object (Task)
 ResolvedRobHT294872 Q2(Need By: TBD) rack/setup/install new mr1-eqsin
Unknown Object (Task)
 Resolved CmjohnsonT294474 Q2:(Need By: TBD) replace mr1-eqiad

Event Timeline

ayounsi triaged this task as Low priority.Mar 15 2021, 8:54 AM
ayounsi created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 15 2021, 8:54 AM
Maintenance_bot added a project: SRE.Mar 15 2021, 8:57 AM
crusnov subscribed.Mar 17 2021, 4:12 PM
ayounsi added a comment.Mar 24 2021, 8:42 AM

This is not supported by 3/5 of our management routers. They will need to be replaced by more recent gear anyway.

ayounsi mentioned this in Unknown Object (Task).Mar 24 2021, 8:53 AM
ayounsi added a subtask: Unknown Object (Task).
RhinosF1 subscribed.Mar 24 2021, 8:54 AM
Aklapper added a project: Infrastructure-Foundations.Jun 21 2021, 9:00 PM
ayounsi added a comment.Aug 23 2021, 11:17 AM

I changed the LibreNMS check to exclude management routers.
To revert once this task is done:

Processor usage over 85% EXCEPT Management routers

cmooney mentioned this in T289820: 2021-08-26 Primary inbound port utilisation over 80% page for mr1-esams.wikimedia.org.Aug 27 2021, 4:41 PM
RobH closed subtask Unknown Object (Task) as Resolved.Nov 5 2021, 7:56 PM
gerritbot added a comment.Apr 22 2022, 7:51 AM

Change 785274 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/homer/public@master] Management routers: move ssh port to 2222

https://gerrit.wikimedia.org/r/785274

gerritbot added a project: Patch-For-Review.Apr 22 2022, 7:51 AM
ayounsi added a comment.Feb 20 2023, 10:42 AM

Before we merge/deploy any of those changes, Rancid and Homer use 22 as default SSH port.
Rancid supports adding :22 after the hostname according to this comment.

Homer will need a patch to support custom ports.

gerritbot added a comment.Feb 20 2023, 11:02 AM

Change 890394 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/software/homer@master] Allow different port than default 22

https://gerrit.wikimedia.org/r/890394

gerritbot added a comment.Feb 20 2023, 12:02 PM

Change 890402 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/puppet@production] Rancid: use port 2222 for mgmt routers

https://gerrit.wikimedia.org/r/890402

gerritbot added a comment.Feb 21 2023, 1:03 PM

Change 890811 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/homer/public@master] Use port 2222 for management router ssh

https://gerrit.wikimedia.org/r/890811

gerritbot added a comment.Feb 21 2023, 1:12 PM

Change 785274 abandoned by Ayounsi:

[operations/homer/public@master] Management routers: move ssh port to 2222

Reason:

Squash fail... Change moved to I8fab3debc72ee51271ee71060ea72ba1beaab73d

https://gerrit.wikimedia.org/r/785274

gerritbot added a comment.Apr 5 2023, 12:57 PM

Change 890394 merged by jenkins-bot:

[operations/software/homer@master] Allow different port than default 22

https://gerrit.wikimedia.org/r/890394

ayounsi mentioned this in rOSHOc0c4816c6bd7: Allow different port than default 22.Apr 5 2023, 3:04 PM
ayounsi added a comment.Mon, Apr 15, 9:21 PM

We might have to re-prioritize this task because of T362522: mr1-eqsin performance issue

ayounsi mentioned this in T362522: mr1-eqsin performance issue.Mon, Apr 15, 9:22 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL